You are correct. Anyone who downloads and processes cc details via their own website is required to be compliant, regardless of the PSP, be it PPP or any other.

We don't download the CC details, we simply pass them encrypted to PPP. We never see the CC details. Is this still non compliant in PCI terms?

Never having either heard of it or being told of it is a little different to wanting to turn a blind eye to it all though, you've done little wrong in your situation. It's a big failing that people like yourself have not had this communicated to you though(it's 2 years old nearly). I do think you have a duty to keep in touch with the industry in which you operate to a certain degree though. Get yourself signed up to some online newsletters or magazine subscriptions where these things will be touched upon when they happen.

If you're in the right places at the right times, it has been discussed to death online, hottest topic on here for the past 2 years. If you're not in the right places, i guess it falls down to the people setting the rules to get this out to you guys so you also know.

I can't believe Paypal haven't contacted us about it, we put a lot of money through their site in this way, and also using their virtual terminal (which makes us even less compliant from what I've read today). I get the impression that other IMA providers are being much more proactive to ensue their clients are compliant (possibly too proactive in some instances). I also think Actinic could have done more. We purchased Actinic business less than 2 years ago, and went with PPP integration from the off, infact this was one of the major selling points. There was no mention in the product documentation that this was not PCI compliant, and there have been no emails or communications (to my knowledge) about this directly since.

I fully accept it's my responsibility to know these things, but running a business there is so much to stay in touch with : Tax law, VAT, Payroll, HR law, H&S, Firesafety, COSH, QMS, Employment Law, etc., not to mention actually doing some work that is relevant to our core business. How our online payments are handled is a set it up and forget about it issue. The only reason I had to look back into it is because I got an email from Paypal saying we need to update so we can use 3D secure to take Maestro payments. They didn't even mention PCI compliance, I found out about it by chance when searching for information about 3D secure implementation on this forum.

I'm now looking at other PSPs to process our card transactions, and am considering using the Actinic Payment service. Now I understand the buyer will be taken to their site to handle the card payment which takes the comlpliance issue away for online transactions. But watching the webcast about this product, it also shows that you can do MOTO transactions directly from your desktop where Actinic is installed. From the orders section it opens a browser window and seems to pass the order details to virtual terminal where you can enter the card details manually. Now this is a useful feature, but surely it causes PCI compliance issues, because the card data is now stored on your local machine, and is transmitted over your network and internet connection. Can anyone tell me more about the compliance requirements of using this feature?

Click here for all things PCI DSS including the answer re Actinic Payments and MOTO orders.

Chris

Chris, this is good and detailed. I suspect it's still going to leave people coming here with questions but we can always update it over time.

What I'd like to see is this getting to the stage where we can just direct anyone with questions to that page.

Mike

PS. From what I know, the Security metrics scan is really only good value if done at the rates negotiated by the card companies. Otherwise they can be expensive (as a lot of them are).

There are a couple of sites offering one-off free scans:

1. Comodo/Hackerguardian - http://www.hackerguardian.com/hacker...free_scan.html - Static IP addresses Only.

2. McAfee - http://www.merchantplus.com/partners...nning-partner/ - A google for McAfee Free PCI scan should also bring up a few other McAfee partners offering the free scan, but doesn't appear to be available direct through McAfee.

Most places suggest that quarterly scans are required but the PCI-DSS guide from Streamline states they only require their merchants to have annual scans if they are level 4 companies.
I have used the Comodo/hackrgardian scan on my network and passed on first attempt (they allow upto 6 scans within the frist 90 days of signing up for the free scan).

Darren - I would like to try the Comodo offer on various network options we have here, how does it work if you don't have a fixed IP?

I think I remember reading that the Comodo offering is only suitable for fixed IP addresses and not dynamic ip addresses which was OK for me but could be a problem if you cannot get a static IP address, although you can test upto 3 IP addresses.
This page links through to the FAQs for the scan service - http://www.hackerguardian.com/hackerguardian/faqs.html

I think the McAfee offer is suitable for dynamic IP addresses, although not too sure as I am on a fixed IP so didn't investigate fully.

One of the issues I wonder about the DIY approach is do you then just self certify and do you need to show anything to your card acquirer?

i.e do you just phone them up and say "I've completed the forms and run a test. No problems," or do you have to send off the completed forms and test results to the card acquirer?

Mike

I think this varies from bank to bank.
The Streamline PCI DSS guide states for Level 4 that they require:
and also that:

"apparently level 4, validation 1 (SAQ A) merchants (ie those who pass to a PSP) don't have to complete the form (SAQ A) unless they are required to by their acquiring bank, but they do have to be compliant. PayPal apparently don't require the merchant to complete this form."

http://community.actinic.com/showthread.php?t=45966

#20

I don't know offhand what the position is regarding validation 4 (SAQ C) merchants, ie those who use virtual terminals for MOTO.

We use Lloyds Cardnet, and so far they appear to have only contacted level 1-3 merchants regarding PCI DSS:

http://www.lloydstsbcardnet.com/latest_news.asp

I should have stated that my comments were related to those who need to complete SAQ C and use MOTO and may not apply to PSP only merchants.

OK:

• Comodo/Hackerguardian do not do dynamic network/device/PC IP addresses. This would present difficulties for many offices connecting by broadband.
  
• McAfee do scan dynamic IP addresses, offered 6 free scans, and didn't require credit card details to sign up for a free service (others did....). The control panel is a little tricky, but we passed PCI first time on a couple of networks.

PS

Out of interest we scanned a standalone (ie not networked) netbook connected to the Internet via a built in Vodafone SIM; it passed the PCI test with flying colours. This might be a serious option for accessing a virtual terminal for companies where the main office network is difficult to secure to PCI standards, plus would get round that tricky "The payment application system/Internet device is not connected to any other system within the merchant environment" tick box in SAQ C.......